The Inquirer-Home

Microsoft XP SP2 problem is a problem, Secunia says

Wed Aug 25 2004, 13:13
Bad drag and drop bug found in Internet Explorer

Dear The Inquirer,

According to an article posted on vnunet (and many other news sites), Microsoft claims that the latest "Drag and Drop" vulnerability (SA12321) in Internet Explorer, including XP Service Pack 2, isn't a high risk. This vulnerability allows malicious websites to place any executable file in the Startup Folder, which will be started automatically when restarting.

Quote: "Given the significant amount of user action required to execute an attack, Microsoft does not consider this to be a high risk for customers," the firm said in a statement.

"Microsoft is not aware of any customer impact at this time. However, we will continue to investigate the issue to determine the appropriate course of action to protect our customers." End quote.

Is it fair of Microsoft to say that you expose yourself to an increased risk if you drag and drop an image on a web site?

In addition, two days ago the issue was escalated further by mikx, who has created a sample exploit, which can trigger the same vulnerability if the user simply uses the scroll bar - maybe this is also significant user interaction because nowadays everybody uses wheel mice?

In our opinion it is not much of a mitigating factor that a vulnerability requires a user to perform a very usual and common task for an exploit to compromise a system.

According to Internet Storm Center / The SANS Institute this is already being exploited in the wild.

Hopefully, Microsoft will change their opinion after they've learned that malicious sites find this drag and drop vulnerability very useful.

For more information about the vulnerability and possible solutions, see Secunia Advisory SA12321:

Kind regards,
Thomas Kristensen
Toldbodgade 37B
1253 Copenhagen K

